AD Design

Posted on 2012-03-25
Last Modified: 2012-04-13
Hi Experts,

We have a single domain and recently we purchased three companies. My job was to handle the security side and the other admin was handling AD.... Now he left and I have to resolve all the issues. I do have experience managing an AD network, but I would be grateful if an expert could share his experience with me.

Background:
We will have 100 offices in total and 2500 users. As of now the companies have a very poor IT team and infrastructure. I was planning to keep our domain and add child domains, or simply add an RODC in every office.... I have made a chart like this:

Branch users fewer than 7 ------------ No DC / no RODC (authentication via VPN)
Branch users 15-25 ------------------- RODC
Branch users more than 25 ------------ DC

We will be using SonicWall as the security device plus Symantec Endpoint Suite 4.0...
All the application servers will be at HO; we will have two applications.

Questions:
DNS/Subnets
How many subnets should I make?

AD
Shall I keep a single domain or make child domains where there are more users?

Exchange
I am planning to have Exchange 2010 on Windows 2008 Enterprise.

best regards,
Syed
Question by:Syed_M_Usman
7 Comments
 
LVL 21

Accepted Solution

by:
yo_bee earned 125 total points
ID: 37762689
If you plan to have a DC (read/write or RODC) you should set up your Sites and Services accordingly so that users do not traverse your WAN to authenticate or for other DNS/application resolution. So different subnets or VLANs would be the best practice.

Active Directory Sites and Services

When it comes to RODC or RWDC, that is all up to you.  Having a RWDC can't hurt, but if there is no one in the branch office(s) who will be administering the DC, I would just place an RODC in all branch offices and manage all changes from the data center.

If your management is heterogeneous across the domain and there is no need for isolation, then I say a single domain and just organize your domain using OUs.

I really can't answer much on Exchange 2010 with my little knowledge, but it might be best to place an Exchange database server in the larger branch offices and allow the Hub Transport to send the e-mail to the proper Exchange database server.  The issue you run into is how to back up that data.
0
 
LVL 2

Assisted Solution

by:v-2sukum
v-2sukum earned 125 total points
ID: 37763023
Hi Syed_M_Usman,

Congrats that your company is growing in size. The first question that you have is about the parent and child structure. I would suggest migrating the whole company to a single domain structure; in this way it will be easy for you to manage the domain, all the changes by the IT persons can be easily monitored from a single location, and it will also help you in making it a nicely documented domain.

About the placement of DCs and RODCs, the best option is to place an RODC in a branch office where you do not have any IT person:

Fewer than 25 users -- no DC
Users greater than or equal to 50 -- RODC
Users more than 50 -- WDC (writable DC)

Select a hub site where you are placed so that you can manage stuff, and for replication select a hub and spoke topology or mesh; it should not be a pain doing it.

My suggestion is to go for a single domain structure; it has a lot of advantages.
After which you can plan for the Exchange migration to 2010.
0
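The two answers above recommend one AD site per office, with its subnets attached so clients authenticate against the local DC, and hub and spoke site links back to the head office for replication. The script below is an added example of that setup, not code from the thread or from any of the posters. It assumes the ActiveDirectory PowerShell module from RSAT on Windows Server 2012 or later (the AD replication cmdlets it uses are not in the 2008 R2 module); the site names, subnets, costs and intervals are constructed placeholders, and the hub site is assumed to already hold the existing DCs (in a fresh forest that is Default-First-Site-Name, which you would rename).

```powershell
# Added example (not from the thread): one AD site per office, its subnets,
# and a hub-and-spoke site link from each branch back to the head office site.
# Assumes RSAT ActiveDirectory module, Windows Server 2012 or later.
Import-Module ActiveDirectory

$HubSite = 'HO'   # constructed: site that already contains the head-office DCs

# Constructed branch plan: site name, IP subnets, WAN link cost and replication interval (minutes)
$Branches = @(
    @{ Name = 'Branch-A'; Subnets = @('10.10.0.0/24');                  Cost = 100; Interval = 180 }
    @{ Name = 'Branch-B'; Subnets = @('10.20.0.0/24', '10.20.1.0/24');  Cost = 100; Interval = 180 }
)

function New-BranchSite {
    param([hashtable]$Branch, [string]$Hub)

    # Site object: clients whose IP falls in one of its subnets look for DCs here first
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($Branch.Name)'")) {
        New-ADReplicationSite -Name $Branch.Name
    }

    # Subnets are what actually map a client to the site; without them the
    # client picks a DC from Default-First-Site-Name and may cross the WAN
    foreach ($cidr in $Branch.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $Branch.Name
        }
    }

    # Spoke link: branch <-> hub only, so replication follows the WAN topology
    $linkName = "$Hub-$($Branch.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $Hub, $Branch.Name `
            -Cost $Branch.Cost `
            -ReplicationFrequencyInMinutes $Branch.Interval `
            -InterSiteTransportProtocol IP
    }
}

if (-not (Get-ADReplicationSite -Filter "Name -eq '$HubSite'")) {
    New-ADReplicationSite -Name $HubSite
}
foreach ($b in $Branches) { New-BranchSite -Branch $b -Hub $HubSite }

# Review the result
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# Check from a branch workstation with the built-in nltest tool:
#   nltest /dsgetsite              -> should print that branch's site name
#   nltest /dsgetdc:yourdomain     -> should return the DC in that site ("yourdomain" is a placeholder)
```

New branch sites are also placed in DEFAULTIPSITELINK automatically when created; remove them from it in Sites and Services once the dedicated spoke link exists, otherwise the KCC can build links between branches that do not reflect the WAN.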
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 37763284
RODCs should be used for security purposes, not just because an office is small.  In environments where you can physically secure the server, I would ask why you want an RODC there.  Having a regular DC in those environments you can physically secure would provide a level of redundancy for the network.
0
 
LVL 16

Author Comment

by:Syed_M_Usman
ID: 37764423
Thank you all, experts; it is a pleasure to see you in my question.

Expert: yo_bee
1) Some of the branches will not have any IT/support staff, so an RODC could be the better option
2) Some of the branches will have only 3-5 staff, so an RODC could be the better option

"If your management is heterogeneous across the domain and there is no need for isolation then I say a single Domain and just organize your domain using OU's" - I was planning for the same.... I think it is more flexible and easier to manage.

Expert: v-2sukum
"I would suggest to migrate all the company to a single domain structure" - thank you for your suggestion.

"and for replication select Hub and spoke topology or mess it should not be pain doing it" - Could you please shed more light on your comments???

Expert: Leew
Pleasure to see you here :). "Having a regular DC in those environments you can physically secure would provide a level of redundancy for the network" - I do agree with you, but you answered your own question....
1) The site is 1500 km from my place + 3-5 staff + no proper data center....


My planning:
Single domain, one OU per site for management. Each site OU will have three more OUs:
1 for users
1 for computers
1 for servers

I am planning to have Windows 2008 R2 Enterprise for the DCs:
2 at the main site, and at the branches as required.

I am planning to have Windows 2008 R2 Enterprise for Exchange 2010.
I am not an Exchange expert, but I am planning to have multiple servers to avoid any downtime....

I am planning to create a new domain*, add trusts between the current domains and the new domain, and transfer the branches as fast as possible... any better idea would be appreciated.

* I don't want to disturb the current network; we have 2 applications and they should work at any cost. So I am planning to have the new domain on new hardware and add trusts with the three domains so that all the other three domains' resources will be shared.... then simply transfer the server roles (application servers) one by one to the new domain, plus all the branches.....

Thanks in advance for your help......
0
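The OU layout sketched in the comment above (one OU per site, each holding Users, Computers and Servers) is easy to build and keep consistent with a script. The block below is an added example, not code from the poster; it assumes the ActiveDirectory PowerShell module, reads the domain DN at run time, and uses constructed site names under a constructed top-level OU called Sites.

```powershell
# Added example (not from the thread): per-site OU tree with Users / Computers / Servers
# under each site OU. Assumes the RSAT ActiveDirectory module; names are constructed.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName   # resolved at run time, e.g. DC=corp,DC=example
$SitesRoot = 'Sites'                             # constructed top-level OU
$SiteNames = @('HO', 'Branch-A', 'Branch-B')     # constructed site list
$ChildOUs  = @('Users', 'Computers', 'Servers')  # the three OUs the comment describes

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)

    $dn = "OU=$Name,$ParentDN"
    # Search the parent one level down; unlike -Identity this returns nothing
    # instead of throwing when the OU does not exist yet, so the script is rerunnable
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $ParentDN -SearchScope OneLevel -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Protection flag blocks accidental deletion/move of the whole site subtree
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$rootDN = New-OUIfMissing -Name $SitesRoot -ParentDN $DomainDN
foreach ($site in $SiteNames) {
    $siteDN = New-OUIfMissing -Name $site -ParentDN $rootDN
    foreach ($child in $ChildOUs) {
        New-OUIfMissing -Name $child -ParentDN $siteDN | Out-Null
    }
}

# Show the resulting tree
Get-ADOrganizationalUnit -Filter * -SearchBase $rootDN |
    Select-Object DistinguishedName | Sort-Object DistinguishedName | Format-Table -AutoSize
```

Because existing OUs are detected rather than recreated, the same script can be rerun whenever a new branch is added to `$SiteNames`; per-site GPO links and delegation are then applied to the site OU and inherited by its three children.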
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 125 total points
ID: 37772953
"My job was to handle the security side and the other admin was handling AD.... now he left and I have to resolve all the issues" ... "as of now the companies have a very poor IT team + infrastructure."

The last thing in the world you want to do is make things more complicated.   You have one domain, so keep it that way!!  Put a DC at each physical location and set up AD Sites and Services to control AD replication over the slow WAN links.  It will also help make sure the users authenticate against the DC that is close to them.

Subnets:
That is an easy one.  One IP segment at each physical location unless a location has more than 200 hosts.  So if a site has more than 200, then "for every 200 hosts start a new IP segment".  Never make a segment bigger than a /24 due to the degradation effects of broadcasts.  Also do not needlessly create subnets all over the place "just because".   Simple rule to follow: "for every 200 hosts start a new IP segment", and don't bridge subnets across WAN links to other sites, where you start pounding the WAN links with broadcasts.

Exchange:
If you aren't using the features of Exchange that require the Enterprise version, then don't buy the Enterprise version.  If you aren't using the Enterprise version of Exchange, then don't buy the Enterprise version of the server OS.
0
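The subnet rule in the answer above (one segment per physical location, a new /24 for every 200 hosts, never a segment larger than a /24) can be turned into an address plan mechanically. The script below is an added example, not code from the poster; it carves sequential /24 networks out of a starting block and emits one row per segment. The site names, host counts and the 10.0.0.0 starting network are constructed, and the output strings are in the form that New-ADReplicationSubnet accepts as -Name, so the plan can feed the Sites and Services configuration directly.

```powershell
# Added example (not from the thread): apply "one /24 per 200 hosts, one segment per
# location" to a constructed list of sites. Pure arithmetic, no AD access required.
$HostsPerSegment = 200          # the rule from the answer
$FirstNetwork    = '10.0.0.0'   # constructed: first /24 is carved from here

# Constructed host counts per physical location
$Sites = [ordered]@{
    'HO'       = 450
    'Branch-A' = 12
    'Branch-B' = 230
}

function New-SubnetPlan {
    param(
        [System.Collections.Specialized.OrderedDictionary]$SiteHosts,
        [string]$FirstNetwork,
        [int]$HostsPerSegment = 200
    )

    # Count /24 blocks from 0.0.0.0 so that "next network" is a simple increment
    $o     = $FirstNetwork.Split('.') | ForEach-Object { [int]$_ }
    $index = $o[0] * 65536 + $o[1] * 256 + $o[2]

    $plan = @()
    foreach ($site in $SiteHosts.Keys) {
        $remaining = [int]$SiteHosts[$site]
        # ceil(hosts / 200): 12 hosts -> 1 segment, 230 -> 2, 450 -> 3
        $segments  = [int][math]::Ceiling($remaining / $HostsPerSegment)

        for ($i = 1; $i -le $segments; $i++) {
            # Every segment is exactly a /24; the block index is decoded into the first three octets
            $network = '{0}.{1}.{2}.0/24' -f [int][math]::Floor($index / 65536),
                                             [int]([math]::Floor($index / 256) % 256),
                                             ($index % 256)
            $plan += [pscustomobject]@{
                Site    = $site
                Segment = "$i of $segments"
                Network = $network
                Hosts   = [math]::Min($HostsPerSegment, $remaining)   # hosts placed in this segment
            }
            $remaining -= $HostsPerSegment
            $index++
        }
    }
    return $plan
}

$plan = New-SubnetPlan -SiteHosts $Sites -FirstNetwork $FirstNetwork -HostsPerSegment $HostsPerSegment
$plan | Format-Table -AutoSize

# The Network column is ready for Sites and Services, e.g.
#   $plan | ForEach-Object { New-ADReplicationSubnet -Name $_.Network -Site $_.Site }
```

With the constructed input, HO receives 10.0.0.0/24 through 10.0.2.0/24, Branch-A 10.0.3.0/24 and Branch-B 10.0.4.0/24 and 10.0.5.0/24; each /24 stays within one location, matching the advice not to bridge segments across WAN links.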
 
LVL 29

Expert Comment

by:pwindell
ID: 37772962
Then someday in the future, when you no longer have a situation where the company has a "very poor IT team + infrastructure" (as you put it)....then you can think about doing other things with the system.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37772976
RODCs have to some degree been a disaster for MS.  I do not recommend an RODC at all, anywhere.   The admin MMC tools in the server OS already don't allow normal users to do anything on the server; you still have to be an admin to make changes.  So don't give the admin credentials to people who cannot be trusted with them.  So there just is no point in an RODC; the whole world has survived perfectly fine since 1995 (NT 4.0) all the way up to 2007 before MS ever invented the RODC with Server 2008, and the world will continue just fine without one.
0